[Bastille-linux-discuss] Iptables config on Bastille for dummies
From: Edward W. R. <su...@mm...> - 2003-10-31 23:26:25
I have always met with difficulty implementing the firewall scripts in Bastille. My Linux box is a ssh (tcp port 22), mail (tcp port 25), dns (tcp and udp port 53), pop3s (tcp port 995) server to the outside world, also squid proxy (tcp port 3128), x (tcp port 6000-6020?) and nessus (tcp port 1241) internal. Ntp (udp port 123) is also needed. System currently has two NICs NAT mapped to a Netscreen firewall. The NAT addresses are 192.168.1.221 (eth0) and 192.168.1.222 (eth1) corresponding to 24.199.20.221 (ns2.mmicman.com) and 24.199.20.222 (mail.mmicman.com) respectively. I may have missed a few, but here is a list:

tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9098            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.221:53        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:10200         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1241            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.222:25        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6011          0.0.0.0:*               LISTEN
tcp        0     48 192.168.1.221:22        192.168.1.99:1497       ESTABLISHED
tcp        0      0 192.168.1.221:22        192.168.1.101:1530      ESTABLISHED
udp        0      0 0.0.0.0:32776           0.0.0.0:*
udp        0      0 0.0.0.0:10000           0.0.0.0:*
udp        0      0 0.0.0.0:916             0.0.0.0:*
udp        0      0 192.168.1.221:42672     0.0.0.0:*
udp        0      0 192.168.1.221:53        0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 0.0.0.0:3130            0.0.0.0:*
udp        0      0 192.168.1.222:123       0.0.0.0:*
udp        0      0 192.168.1.221:123       0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
raw        0      0 0.0.0.0:6               0.0.0.0:*               7
raw        0      0 0.0.0.0:17              0.0.0.0:*

The Netscreen does a fine job of firewalling, but I would like to further tighten up via iptables. With two NICs, I always seem to screw it up.

If anyone has some text I can just insert into the proper place or some url pointers to some good setup scripts, it would be appreciated.

Regards,
Edward W. Ray
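Added example (not from the original post or from the Bastille project): a per-interface iptables INPUT policy for the two-NIC layout Edward describes, with public services split by interface and internal services limited to the LAN. It assumes eth0 is the ns2/DNS side, eth1 the mail side, and that the LAN is 192.168.1.0/24 (the post shows clients 192.168.1.99 and .101); by default it only prints the commands, and runs them when invoked as IPT=iptables.

```shell
#!/bin/sh
# Assumptions (from the post, not confirmed by it): eth0 = 192.168.1.221 (ns2),
# eth1 = 192.168.1.222 (mail), LAN = 192.168.1.0/24. Dry-run unless IPT=iptables.
IPT="${IPT:-echo iptables}"
LAN=192.168.1.0/24
NS_IF=eth0      # NATed to 24.199.20.221 (ns2.mmicman.com): ssh + dns
MAIL_IF=eth1    # NATed to 24.199.20.222 (mail.mmicman.com): smtp + pop3s

gen_rules() {
    # Start clean; drop unsolicited inbound and forwarded traffic by default.
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback, plus replies to connections this host opened itself
    # (this covers NTP as a client, outbound DNS lookups, outbound SMTP).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Public services reachable only on the ns2 interface: ssh and DNS.
    $IPT -A INPUT -i "$NS_IF" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$NS_IF" -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$NS_IF" -p udp --dport 53 -j ACCEPT
    # Public services reachable only on the mail interface: smtp and pop3s.
    $IPT -A INPUT -i "$MAIL_IF" -p tcp --dport 25 -j ACCEPT
    $IPT -A INPUT -i "$MAIL_IF" -p tcp --dport 995 -j ACCEPT
    # Internal-only services (squid, nessus, X): LAN sources only, either NIC.
    $IPT -A INPUT -s "$LAN" -p tcp --dport 3128 -j ACCEPT
    $IPT -A INPUT -s "$LAN" -p tcp --dport 1241 -j ACCEPT
    $IPT -A INPUT -s "$LAN" -p tcp --dport 6000:6020 -j ACCEPT
    # Log (rate-limited) and drop the rest, so stray listeners such as
    # 9098/10000/465 stay unreachable and the drops can be checked in syslog.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "
    $IPT -A INPUT -j DROP
}

gen_rules
```

Run it once as a dry run, compare the printed rules against the netstat listing above, then apply with `IPT=iptables sh script.sh` from a console session rather than over ssh.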